Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29-12-2024 23:25
General
-
Target
ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
-
Size
450KB
-
MD5
cd005dbadf071616082e110600abc48d
-
SHA1
c111f671078a2fc46ec46c501e96079cf97e10c7
-
SHA256
ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f
-
SHA512
d1960751778de17ee541669a51c0c7ea7a007af39fb5a957cb28f08d02819b08ce417c24e1f8b83e401ab2dd5cbd524b2ba1e1b83cf1d1f75291aff52b8af87c
-
SSDEEP
12288:ifH22qla5w/yXbx+DbZ83FLDqqC5l/40PVc:ifH0MW/Ibx+DbZ83pqp5l/
Malware Config
Extracted
blustealer
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
*p=N(5r?6=L*
Extracted
formbook
4.1
fs44
whneat.com
jljcw.net
pocodelivery.com
outofplacezine.com
yavuzcansigorta.com
xinhewood-cn.com
cartogogh.com
5avis.com
joyceyong.art
digitalsurf.community
blackcreekbarns.com
magazinedistribuidor.com
sportsgross.com
drevom.online
mayibeofservice.com
gareloi-digit.com
permitha.net
renaissanceestetica.com
facts-r-friends.com
dach-loc.com
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Blustealer family
-
Detect PureCrypter injector 1 IoCs
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Purecrypter family
-
Formbook payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe"C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 102⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\Dtyjdrkcyvvjlatasks.exe"C:\Users\Admin\AppData\Local\Temp\Dtyjdrkcyvvjlatasks.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exeC:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5e2c915e5f775cd76f53cab4eede03ba6
SHA12ec952debae802353c29098ca010244d8ff974b5
SHA25619b271898408a5180f1d0d79fc9b316375edb63f509ae8eda49b73cdf8f83f74
SHA512cfee769e8e029a1891a6d45ab92a681604dd6e0818794f03765122d4070c8b6edfa4ce5358fd7258629a6843f4d3b2a236fb04d8fea9f45769245ebbcf38d785
-
Filesize
304KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
6.9MB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
3.0MB